name: CI on: push: branches: [main, dev, uat] pull_request: branches: [main, dev, uat] workflow_dispatch: inputs: ref: description: "Branch or ref to run CI against" required: false default: "main" jobs: lint-typecheck: name: Lint & Typecheck runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: version: '9.15.4' - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm - name: Install dependencies run: pnpm install --frozen-lockfile - name: Typecheck run: | pnpm --filter @groombook/api typecheck pnpm --filter @groombook/db typecheck - name: Lint run: pnpm --filter @groombook/api lint test: name: Test runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: version: '9.15.4' - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm - name: Install dependencies run: pnpm install --frozen-lockfile - name: Run tests run: pnpm --filter @groombook/api test docker: name: Build & Push Docker Images runs-on: ubuntu-latest needs: [lint-typecheck, test] steps: - uses: actions/checkout@v4 - name: Generate image tag id: version run: | if [ "${{ github.event_name }}" = "pull_request" ]; then TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}" else TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}" fi echo "tag=$TAG" >> "$GITHUB_OUTPUT" echo "Image tag: $TAG" - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: driver-opts: network=host - name: Log in to Gitea Container Registry uses: docker/login-action@v3 with: registry: git.farh.net username: ${{ gitea.actor }} password: ${{ secrets.REGISTRY_TOKEN }} - name: Build and push API image uses: docker/build-push-action@v6 with: provenance: false context: . file: Dockerfile target: runner push: true tags: | git.farh.net/groombook/api:${{ steps.version.outputs.tag }} ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }} cache-from: type=registry,ref=git.farh.net/groombook/cache:api cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max - name: Build and push Migrate image uses: docker/build-push-action@v6 with: provenance: false context: . file: Dockerfile target: migrate push: true tags: | git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }} ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }} cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max - name: Smoke test migrate image (blackhole npmjs.org) run: | set -euo pipefail IMAGE="git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}" docker pull "$IMAGE" docker run --rm \ --add-host registry.npmjs.org:127.0.0.1 \ --entrypoint="" \ "$IMAGE" \ pnpm --version - name: Build and push Seed image uses: docker/build-push-action@v6 with: provenance: false context: . file: Dockerfile target: seed push: true tags: | git.farh.net/groombook/seed:${{ steps.version.outputs.tag }} ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }} cache-from: type=registry,ref=git.farh.net/groombook/cache:seed cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max - name: Build and push Reset image uses: docker/build-push-action@v6 with: provenance: false context: . file: Dockerfile target: reset push: true tags: | git.farh.net/groombook/reset:${{ steps.version.outputs.tag }} ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }} cache-from: type=registry,ref=git.farh.net/groombook/cache:reset cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max - name: Smoke test seed image (blackhole npmjs.org) run: | set -euo pipefail IMAGE="git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}" docker pull "$IMAGE" # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must # not try to reach registry.npmjs.org on invocation. docker run --rm \ --add-host registry.npmjs.org:127.0.0.1 \ --entrypoint="" \ "$IMAGE" \ sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; pnpm --version' echo "seed image: pnpm resolves to /usr/local/bin/pnpm and runs offline ✓" - name: Smoke test reset image (blackhole npmjs.org) run: | set -euo pipefail IMAGE="git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}" docker pull "$IMAGE" # GRO-1985: pnpm must be a real binary, not a Corepack shim, and must # not try to reach registry.npmjs.org on invocation. Validates the # hard requirement from the issue: reset runs offline. docker run --rm \ --add-host registry.npmjs.org:127.0.0.1 \ --entrypoint="" \ "$IMAGE" \ sh -c 'set -e; test "$(which pnpm)" = "/usr/local/bin/pnpm"; echo "HOME=$HOME"; pnpm --version' echo "reset image: pnpm resolves to /usr/local/bin/pnpm, HOME=/tmp, runs offline ✓"